A choreography describes a transaction in which several principals interact. Since choreographies 
frequently describe business processes affecting substantial assets, we need a security infrastructure 
in order to implement them safely. As part of a line of work devoted to generating cryptoprotocols 
from choreographies, we focus here on the execution models suited to the two levels. 

We give a strand-style semantics for choreographies, and propose a special execution model in 
which choreography-level messages are faithfully delivered exactly once. We adapt this model to 
handle multiparty protocols in which some participants may be compromised. 

At the level of cryptoprotocols, we use the standard Dolev-Yao execution model, with one alteration. 
Since many implementations use a "nonce cache" to discard multiply delivered messages, we provide 
a semantics for at-most-once delivery. 

1 Introduction 

Choreographies are global descriptions of transactions, including business or financial transactions. They 
describe the intertwined behavior of several principals as they negotiate some agreement and, frequently, 
commit some state change. A key idea is end-point projection [5], which converts a global description 
into a set of descriptions that determine the local behavior of the individual participants in a choreography. 
Conversely, global synthesis of a choreography from local behaviors is also sometimes possible, 
i.e. meshing a set of local behaviors into a comprehensive global description iTTTTl . 

Because these transactions may transfer sums of money and other objects of value, or may communicate 
sensitive information among the principals, they require a security infrastructure. It would be 
desirable to synthesize a cryptographic protocol directly from a choreography description, to control how 
adversaries can interfere with transactions among compliant principals. Corin et al. [6] have made a substantial 
start on this problem, with further advances described in Q. However, many questions remain, 
for instance how to optimize the generated cryptographic protocols, how best to establish that they are 
always correct, and indeed how best to define their correctness. 

This last question concerns how to state what control the protocol should provide, against adversaries 
trying to interfere with transactions. It is a substantial question because the execution model that 
choreographies use is quite distant from the execution model cryptographic protocols are designed to 
cope with. For instance, choreographies use an execution model — or communication model — in which 
messages are never received by any party other than the intended recipient, or if the formalism represents 
channels, they are received only over the channel. Moreover, messages are always delivered if the recipient 
is willing to receive the message. Messages are delivered only if they were sent, and specifically only 
if they were sent by the expected peer. Finally, they are delivered only once. These aspects of the model 
mean that confidentiality and integrity properties are built into the underlying assumptions. A security 
infrastructure is intended to justify exactly these assumptions, i.e. to provide a set of behaviors in which 
these assumptions are satisfied. 

Naturally, these behaviors must be achieved within an underlying model in which the adversary is 
much stronger. In this model — typically called the Dolev-Yao model, after a paper [8] in which Dolev and 
Yao formalized ideas suggested by Needham and Schroeder [12] — all messages may be received by the 
adversary, so that confidentiality needs to be achieved by encryption. They may be delivered zero times, 
once, or repeatedly, and they may be misdelivered to the wrong participant. When delivered, a message 
may appear to come from a participant that did not send it. The adversary may alter messages in transit, 
including applying cryptographic operations using keys that he knows, or may obtain by manipulating 
the protocol. 

Digital signatures may be used to notify a recipient reliably of the source of a message (and of the 
integrity of its contents). Symmetric encryption may also be used to ensure authenticity: a recipient 
knows that the encrypted message was prepared by a party that knew the secret key, and intended it for 
a peer that also knew the secret key. Nonces, which are simply randomly chosen bitstrings, may be used 
to ensure freshness. The principal P that chose a nonce knows, when receiving a message containing it, 
that the nonce was inserted after P chose it. Moreover, if P engages in many sessions and associates a 
different nonce with each, P can ensure that messages containing one nonce cannot be misdirected to a 
session using a different nonce. 

In this paper, we begin the process of relating the Dolev-Yao model of execution to the choreography 
execution model. This is a key step in generating cryptographic protocols and proving them faithful to 
the intent of the choreography. In particular, we represent the two execution models using the strand 
space model [13, 10]. 

Goals of this Paper. We provide a few definitions and an example to indicate how the strand space 
framework can relate choreographies to the cryptographic protocols that implement them. 

In particular, we consider a very simple choreography language, and provide a semantics for it as a 
set of "abstract bundles." That is, each session of the protocol executes according to one of the bundles 
predicted by the semantics. Moreover, any collection of sessions that may have occurred takes the 
following form: its events partition into bundles that are obtained by instantiating the parameters in 
bundles given in the semantics. Also, if two nodes belong to different partition elements, there is no < 
ordering between them, unless the executions are generated as parts of some higher-level choreography 
that might determine a causal ordering. 

We call this an abstract bundle semantics because it builds in the assumptions of the choreography 
level: messages do not have explicit cryptographic operations, and the choreography-level communication 
assumptions are satisfied. Messages are always delivered exactly once; sender and recipient are 
never mismatched; no message is created by adversary operations. We must connect this idealized semantics 
with a more realistic semantics at the cryptographic level, in which the adversary may be active. 

One peculiarity of our message datatype is that we allow "boxes." A box $[M]_{pp'}$ is a message prepared 
on role $p$ that can be opened only by a principal playing role $p'$. At the choreography level, this property 
is enforced by a type system. We use these boxes to make explicit the confidentiality and authentication 
requirements of a choreography in the case where some roles are played by compromised participants. 
However, in this article, we focus on the simplest case, in which no participants are compromised. That 
is, we will assume here that any participant who is sent a box will behave only as predicted by the 
choreography. 

Our semantics at the cryptographic level is a standard strand space treatment, except for one ingredient. 
Namely, this semantics assumes that some kinds of messages are delivered at most once. These 
are session-initiating messages that contain a nonce, or in some protocols a freshly generated session 
key. Implementations now use a nonce-caching technique in which the nonces of previously executed 
sessions are retained in a cache. A new incoming message contains a nonce which is compared against 
the cache; if it is present, then with overwhelming probability there has been a replay attempt, and the 
message is discarded. Otherwise, the nonce is recorded and the session proceeds. So as not to need to 
retain nonces forever, implementations typically combine this with a timestamp, and assume that uncompromised 
principals are loosely synchronized. A message with too old a timestamp is discarded. 
Nonces may be dropped from the cache when their timestamps have expired. In this approach, the nonce 
and the timestamp must appear digitally signed in the incoming message to prevent manipulation by the 
adversary. 
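
The nonce-caching technique described above can be sketched as follows. This is an added example, not code from the paper: the names `NonceCache`, `make_message`, `WINDOW` and `NONCE_LEN` are hypothetical, and an HMAC under a shared key stands in for the digital signature over the nonce and timestamp so that the sketch needs only the standard library.

```python
import hashlib
import heapq
import hmac
import os

WINDOW = 300     # assumed freshness window in seconds (bounds the clock skew)
NONCE_LEN = 16   # assumed nonce size in bytes


def _tag(key, nonce, ts, body):
    # Fixed-width nonce and timestamp keep the authenticated encoding unambiguous.
    # HMAC is a stand-in for the digital signature the text calls for.
    data = nonce + ts.to_bytes(8, "big") + body
    return hmac.new(key, data, hashlib.sha256).digest()


def make_message(key, body, now, nonce=None):
    """Build a session-initiating message carrying a fresh nonce and a timestamp."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    return {"nonce": nonce, "ts": now, "body": body,
            "tag": _tag(key, nonce, now, body)}


class NonceCache:
    """Receiver-side filter giving at-most-once delivery of initiating messages."""

    def __init__(self, key, window=WINDOW):
        self.key = key
        self.window = window
        self.seen = set()    # nonces of sessions already started
        self.expiry = []     # min-heap of (expires_at, nonce)

    def _purge(self, now):
        # A nonce may be forgotten once its timestamp alone gets the message
        # rejected, so the cache stays bounded without reopening a replay window.
        while self.expiry and self.expiry[0][0] < now:
            _, nonce = heapq.heappop(self.expiry)
            self.seen.discard(nonce)

    def accept(self, msg, now):
        """Return 'accepted', 'bad-tag', 'stale' or 'replay' for one message."""
        self._purge(now)
        nonce, ts = msg["nonce"], msg["ts"]
        if len(nonce) != NONCE_LEN or not isinstance(ts, int) or not 0 <= ts < 2**63:
            return "bad-tag"
        expected = _tag(self.key, nonce, ts, msg["body"])
        if not hmac.compare_digest(expected, msg["tag"]):
            return "bad-tag"     # nonce or timestamp was altered in transit
        if abs(now - ts) > self.window:
            return "stale"       # too old, or too far ahead of our clock
        if nonce in self.seen:
            return "replay"      # second delivery of the same message
        self.seen.add(nonce)
        heapq.heappush(self.expiry, (ts + self.window, nonce))
        return "accepted"
```

Because an entry expires exactly when its timestamp would already cause rejection, a replayed message is always caught by one of the two checks.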

We define a cryptographic protocol to properly implement a choreography if, when abstracting its 
possible executions in this at-most-once semantics, we obtain exactly the possible executions of the 
abstract bundle semantics for the choreography. 

We explore here a simple example in which the participants are well-known to each other from the 
start of the transaction. However, the ideas also apply when additional participants may be chosen during 
execution, and keys must be distributed as part of the message flow. 

2 Strand Spaces 

Strand spaces [13, 10] were developed as a simplest possible model for cryptographic protocol analysis, 
but are also applicable to other kinds of distributed systems. In strand spaces, we consider strands, 
behavioural traces for roles represented as finite linear sequences of transmission and reception events. 
The model provides techniques for analysing how various strands can be combined together in a run of 
a protocol including some adversary behaviour. 
Let $A$ be a set of messages. 

Definition 1 (Strand Space). A directed term is a pair denoted by $\pm a$ (for $a$ a message $\in A$) where 
$\pm \in \{-, +\}$ is a direction with $+$ representing transmission and $-$ reception. A trace is an element of 
$(\pm A)^*$, the set of finite sequences of directed terms. 

A strand space is a set $S$ equipped with a trace mapping $tr : S \to (\pm A)^*$ and its elements are called 
strands. 

If $s$ is a strand in some strand space $S$ then its $i$-th member denotes the $i$-th transmission or reception event 
in $s$. Formally, we interpret this as the pair $s, i$, which we call a node on the strand $s$. 

We write $m \Rightarrow n$ when, for some $s$ and $i$, $m = s, i$ and $n = s, i + 1$, i.e. $n$ is the node immediately 
following $m$ on the strand $s$. We write $msg(n)$ for the message sent or received in the directed term of 
$n$. That is, if $n = s, i$, and $s(i)$ is a transmission $+t$ or reception $-t$ of message $t$, then $msg(n) = t$. We 
occasionally write $dmsg(n) = \pm t$ for the message together with its direction. We write $m \to n$ when for 
some $t$, $dmsg(m) = +t$ and $dmsg(n) = -t$. Thus, $n$ could receive its message directly from $m$. 

But how can strands be combined together in order to represent executions of a protocol? This is 
precisely captured by the notion of bundle for a strand space S: 

Definition 2 (Bundle). A finite acyclic directed graph $\mathcal{B} = (\mathcal{N}, \mathcal{E}, \preceq_{\mathcal{B}})$ is a bundle for $S$ if 

1. $\mathcal{N}$ is a set of strand nodes in $S$ such that if $n \in \mathcal{N}$ and $m \Rightarrow n$, then $m \in \mathcal{N}$; 

2. $\mathcal{E} = {\to_{\mathcal{B}}} \cup {\Rightarrow_{\mathcal{B}}}$ where 

(a) $\Rightarrow_{\mathcal{B}}$ is the restriction of $\Rightarrow$ to nodes in $\mathcal{N}$; 

(b) ${\to_{\mathcal{B}}} \subseteq ({\to} \cap\, \mathcal{N} \times \mathcal{N})$; and 

(c) for any reception node $n \in \mathcal{N}$, there is exactly one transmission node $m \in \mathcal{N}$ such that 
$m \to_{\mathcal{B}} n$. 

$n \preceq_{\mathcal{B}} m$ iff there is a path using arrows ${\to_{\mathcal{B}}} \cup {\Rightarrow_{\mathcal{B}}}$ from $n$ to $m$ in $\mathcal{B}$. 

A bundle is a causally well-founded graph - essentially, a Lamport diagram - built from strands and 
transmission edges. The relation $\preceq_{\mathcal{B}}$ is a well-founded partial order, meaning that the bundle induction 
principle holds, that every non-empty set of nodes of $\mathcal{B}$ contains $\preceq_{\mathcal{B}}$-minimal members. 

The notions of strand and bundle, and the principle of bundle induction, are the essential ingredients 
in the strand space model. Choices - such as what operations the adversary strands offer, or what 
additional closure properties bundles may satisfy - can vary to model different problems concerning 
cryptographic protocols or distributed communication more generally. 

Example. We briefly introduce an example in order to clarify the concepts introduced above. Let $S$ be 
composed of the following strands: 

(1) $n_1 \Rightarrow n_2$   (2) $n_3 \Rightarrow n_4$   (3) $n_5 \Rightarrow n_6$   (4) $n_7 \Rightarrow n_8 \Rightarrow n_9 \Rightarrow n_{10}$   (5) $n_{11} \Rightarrow n_{12}$ 

where 

$dmsg(n_1)$ = +"Hello"   $dmsg(n_2)$ = −"Bye" 

$dmsg(n_3)$ = +"Good luck"   $dmsg(n_4)$ = −"Thanks" 

$dmsg(n_5)$ = −"Good luck"   $dmsg(n_6)$ = +"Thanks" 

$dmsg(n_7)$ = −"Hello"   $dmsg(n_8)$ = −"Good luck"   $dmsg(n_9)$ = +"Thanks"   $dmsg(n_{10})$ = +"Bye" 

$dmsg(n_{11})$ = −"Thanks"   $dmsg(n_{12})$ = +"Bye" 

Below, we report two possible executions in the strand space S (for clarity, we label — > with the 
corresponding message): 



[Figure: two bundle diagrams over the strands above; the transmission edges are labelled "Hello", "Good luck", "Thanks" and "Bye".] 



Note that strand (5) could interfere allowing for the following bundle: 



[Figure: bundle diagram including strand (5), with nodes $n_{11}$ and $n_{12}$; the transmission edges are labelled "Hello", "Good Luck", "Thanks" and "Bye".] 
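
The clauses of Definition 2 can be checked mechanically on the strands (1)-(5) of this example. The following is an added sketch, not code from the paper: `bundle_errors`, `bundle` and `name_nodes` are hypothetical names, and the three candidate node and edge sets used in the usage note are constructed readings of the executions discussed above.

```python
from collections import defaultdict

# Strands (1)-(5) of the example: lists of (direction, message) pairs.
STRANDS = {
    1: [("+", "Hello"), ("-", "Bye")],
    2: [("+", "Good luck"), ("-", "Thanks")],
    3: [("-", "Good luck"), ("+", "Thanks")],
    4: [("-", "Hello"), ("-", "Good luck"), ("+", "Thanks"), ("+", "Bye")],
    5: [("-", "Thanks"), ("+", "Bye")],
}


def name_nodes(strands):
    """Map the names n1, n2, ... to nodes (strand, index), strand by strand."""
    names, k = {}, 1
    for s in sorted(strands):
        for i in range(1, len(strands[s]) + 1):
            names[f"n{k}"] = (s, i)
            k += 1
    return names


N = name_nodes(STRANDS)


def bundle_errors(nodes, comm, strands=STRANDS):
    """Return the violations of Definition 2 for node set `nodes` and -> edges `comm`."""
    nodes, errors = set(nodes), []

    def dmsg(n):
        return strands[n[0]][n[1] - 1]

    # Clause 1: a node brings along its predecessor on the same strand.
    for s, i in sorted(nodes):
        if i > 1 and (s, i - 1) not in nodes:
            errors.append(f"clause 1: predecessor of {(s, i)} missing")
    # Clause 2(b): each -> edge lies inside the node set and joins +t to -t.
    incoming, edges = defaultdict(int), []
    for m, n in comm:
        if m not in nodes or n not in nodes:
            errors.append(f"clause 2b: edge {m}->{n} leaves the node set")
        elif dmsg(m)[0] != "+" or dmsg(n) != ("-", dmsg(m)[1]):
            errors.append(f"clause 2b: {m}->{n} is not +t to -t")
        else:
            incoming[n] += 1
            edges.append((m, n))
    # Clause 2(c): every reception has exactly one transmitter.
    for n in sorted(nodes):
        if dmsg(n)[0] == "-" and incoming[n] != 1:
            errors.append(f"clause 2c: reception {n} has {incoming[n]} senders")
    # Acyclicity over -> and => edges (Kahn's algorithm); this is what makes
    # the causal order well-founded.
    edges += [((s, i), (s, i + 1)) for s, i in nodes if (s, i + 1) in nodes]
    indeg, succ = {n: 0 for n in nodes}, defaultdict(list)
    for m, n in edges:
        succ[m].append(n)
        indeg[n] += 1
    ready, done = [n for n in nodes if indeg[n] == 0], 0
    while ready:
        m = ready.pop()
        done += 1
        for n in succ[m]:
            indeg[n] -= 1
            if indeg[n] == 0:
                ready.append(n)
    if done != len(nodes):
        errors.append("graph has a cycle")
    return errors


def bundle(node_names, edge_names):
    """Check a candidate over STRANDS given by node names such as 'n3'."""
    return bundle_errors([N[x] for x in node_names],
                         [(N[a], N[b]) for a, b in edge_names])
```

For instance, `bundle(["n3", "n4", "n5", "n6"], [("n3", "n5"), ("n6", "n4")])` returns an empty list, while `bundle(["n5"], [])` reports that the reception of "Good luck" has no sender.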
3 An Execution Model for Choreography 
3.1 The Calculus 

Syntax. Let $p$ range over the set of roles $\mathcal{R}$. The syntax of our choreography mini-language (based on 
the Global Calculus Q) is given by the following grammar: 

$$C ::= \Sigma_i\, p_1 \to p_2 : op_i\langle M_i\rangle.\, C_i \;\mid\; 0 \qquad\qquad M ::= v \;\mid\; [M]_{p_1 p_2}$$ 

Above, the term $\Sigma_i\, p_1 \to p_2 : op_i\langle M_i\rangle.\, C_i$ describes an interaction where a branch with label $op_i$ is 
non-deterministically selected and a message $M_i$ is sent from role $p_1$ to role $p_2$. Each two roles in a 
choreography share a private channel hence it would be redundant to have them explicit in the syntax El . 

Term $0$ denotes the inactive system. A message $M$ can either be a value $v$ or a box $[M]_{p_1 p_2}$. The latter 
denotes a tuple of messages $M$ from $p_1$ that can only be opened by $p_2$. 

Syntactic Assumption. The sender of a choreography of the form $\Sigma_i\, p_1 \to p_2 : op_i\langle M_i\rangle.\, C_i$ is $p_1$. We 
assume, for every choreography $C$: 

• all op's are distinct. 

• in any path in a choreography syntax tree, a box $[M]_{p_1 p_2}$ has to occur first in an interaction whose 
sender is $p_1$ and can only be opened by $p_2$ in later interaction; 

• if $C = \Sigma_i\, p_1 \to p_2 : op_i\langle M_i\rangle.\, C_i$ then either $C_i = 0$ or the sender of $C_i$ is $p_2$ for all $C_i$; 

The last assumption above requires that the receiving role in an interaction is always the transmitting role 
in the subsequent interaction. All the assumptions above can be statically checked EJ. 

LTS Semantics. Our mini-language can be equipped with a standard trace semantics with configurations 
$C \xrightarrow{\mu} C'$ where $\mu$ contains the parameters of the interaction performed i.e. it ranges over the set 
$\mathcal{R} \times \mathcal{R} \times \mathcal{O} \times \mathcal{M}$ where $\mathcal{O}$ is the set of operators op and $\mathcal{M}$ the set of messages. The following rule 
formally defines the relation $\xrightarrow{\mu}$ which is taken up to commutativity and associativity of +: 

(C-COM) 

$$\Sigma_i\, p_1 \to p_2 : op_i\langle M_i\rangle.\, C_i \xrightarrow{(p_1,\, p_2,\, op_i,\, M_i)} C_i$$ 

Buyer-Seller Example. We report a variant of the Buyer-Seller financial protocol [5]. A buyer (or 
client) C asks a seller S for a quote about a product prod. If the quote is accepted, C will send its credit 
card card to S who will forward it to a bank B. The bank will check if the payment can be done and, if 
so, reply with a receipt receipt which S will forward to C. In our syntax: 

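1. $C \to S : \mathtt{req}\langle prod\rangle.\ S \to C : \mathtt{reply}\langle quote\rangle.$ 

2. $(\ C \to S : \mathtt{ok}\langle [card]_{CB}\rangle.\ S \to B : \mathtt{pay}\langle [card]_{CB}\rangle.\ (\ B \to S : \mathtt{okcf}\langle [receipt]_{BC}\rangle.$ 

3. $\qquad S \to C : \mathtt{rcpt}\langle [receipt]_{BC}\rangle$ 

4. $\qquad +$ 

5. $\qquad B \to S : \mathtt{nopaycf}\langle\rangle.$ 

6. $\qquad S \to C : \mathtt{nopay}\langle\rangle\ )$ 

7. $+$ 

8. $C \to S : \mathtt{refuse}\langle reason\rangle\ )$ 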
Line 1. denotes the quote request and reply. Lines 2. and 8. are computational branches corresponding 
to acceptance and rejection of the quote respectively. If the quote is accepted, C will send its credit card 
in the box $[card]_{CB}$ meaning that S cannot see it. The card number is then forwarded to B who can open 
the box (line 2.). If the transaction can be finalised a receipt is forwarded to C. Otherwise, a nopay 
notification will be sent. B boxes the receipt so that it cannot be seen or changed by S. 



3.2 Abstract Bundle Semantics (ABS). 

We introduce an alternative semantics for choreography based on bundles defined as judgements of the 
form: 

$$\models C \triangleright \{(\mathcal{B}_1, who_1), \ldots, (\mathcal{B}_j, who_j)\}$$ 

where $(\mathcal{B}, who)$ is a bundle environment. Given a role $p$, $who(p)$ denotes the strand in the bundle $\mathcal{B}$ 
associated to the behaviour of $p$. The abstract bundle semantics $[\![C]\!] = \{(\mathcal{B}_1, who_1), \ldots, (\mathcal{B}_j, who_j)\}$ if 
and only if $\models C \triangleright \{(\mathcal{B}_1, who_1), \ldots, (\mathcal{B}_j, who_j)\}$. The relation $\models$ is the minimum relation satisfying the 
following: 

(ABS-COM) 

$$\frac{\forall i.\ \models C_i \triangleright \{(\mathcal{B}_{i1}, who_{i1}), \ldots, (\mathcal{B}_{ij_i}, who_{ij_i})\}}{\models \Sigma_i\, p_1 \to p_2 : op_i\langle M_i\rangle.\, C_i \triangleright \bigcup_i \{(\mathcal{B}_{ij}, who_{ij})\}_j\, [p_1, p_2, op_i\langle M_i\rangle]}$$ 

(ABS-ZERO) 

$$\frac{e \text{ fresh}}{\models 0 \triangleright \{(\{e^p\}_p,\ \lambda p.\, e^p)\}}$$ 

The abstract bundle semantics provides a set of bundles which represents all executions of the protocol 
described by the choreography. In (ABS-COM), $(\mathcal{B}_{ij}, who_{ij})[p_1, p_2, op_i\langle M_i\rangle]$ denotes a new bundle 
obtained from $\mathcal{B}_{ij}$ where the two strands $who_{ij}(p_1)$ and $who_{ij}(p_2)$ are prefixed with the events $+op_i\langle M_i\rangle$ 
and $-op_i\langle M_i\rangle$ respectively. The function $who_{ij}$ is updated accordingly. Formally, 

$$(\mathcal{B}, who)[\mu] = \big((\mathcal{N} \cup \{n_1, n_2\},\ \mathcal{E} \cup \{n_i \Rightarrow who(p_i)\}_i \cup \{n_1 \to n_2\},\ \preceq'),\ who[p_i \mapsto n_i \Rightarrow who(p_i)]_i\big)$$ 

where $\preceq'$ is the update of $\preceq_{\mathcal{B}}$ according to the new elements added to the bundle and $\mathcal{B} = (\mathcal{N}, \mathcal{E}, \preceq_{\mathcal{B}})$. 
The operation above is applied to all those bundles obtained from the semantics of each branch and the 
result will be their union. In (ABS -ZERO), we augment the set A with fresh events {e p } E E in order to 
distinguish each strand. 



ABS Example. The ABS for the Buyer-Seller protocol has three bundles corresponding to its possible 
executions, namely: (i) C accepts the quote and B successfully finalises the transaction sending back a 
receipt; (ii) C accepts the quote but B does not accept the payment; and (iii) Buyer does not accept the 
quote with reason reason and the protocol terminates. The three corresponding bundles are reported in 
Fig. 1. The nodes marked with * are those points where there is a possibility of branching i.e. bundle (ii) 
is identical to (i) up to its * while (iii) is identical to (i) and (ii) up to its *. Note that (iii) only involves 
roles C and S. 
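
The three bundles can be computed directly from the choreography term by following (ABS-COM), and the syntactic assumptions of Section 3.1 can be checked on the same term. This is an added sketch, not code from the paper: the tuple encoding and the names `abs_semantics`, `assumption_errors` and `box` are hypothetical, each bundle is represented only by its per-role strands, the fresh events of (ABS-ZERO) are omitted, and the check that a box is opened only by its second role is not modelled.

```python
def box(m, p1, p2):
    """The box [m]_{p1 p2}: prepared on role p1, openable only by role p2."""
    return ("box", m, p1, p2)


# A choreography is a list of branches (p1, p2, op, message, continuation);
# the empty list is the inactive system 0.
BUYER_SELLER = [
    ("C", "S", "req", "prod", [
        ("S", "C", "reply", "quote", [
            ("C", "S", "ok", box("card", "C", "B"), [
                ("S", "B", "pay", box("card", "C", "B"), [
                    ("B", "S", "okcf", box("receipt", "B", "C"), [
                        ("S", "C", "rcpt", box("receipt", "B", "C"), [])]),
                    ("B", "S", "nopaycf", None, [
                        ("S", "C", "nopay", None, [])]),
                ])]),
            ("C", "S", "refuse", "reason", []),
        ])]),
]


def abs_semantics(chor):
    """Return one {role: strand} map per abstract bundle of `chor`."""
    if not chor:
        return [{}]
    bundles = []
    for p1, p2, op, msg, cont in chor:
        for who in abs_semantics(cont):
            # (ABS-COM): prefix +op on the sender strand, -op on the receiver strand.
            new = {role: list(strand) for role, strand in who.items()}
            new[p1] = [("+", op, msg)] + new.get(p1, [])
            new[p2] = [("-", op, msg)] + new.get(p2, [])
            bundles.append(new)
    return bundles


def ops(strand):
    """Directions and operators of a strand, dropping the payloads."""
    return [d + op for d, op, _ in strand]


def assumption_errors(chor, seen_ops=None, boxes=frozenset()):
    """Check distinct ops, box origin, and receiver-becomes-next-sender."""
    seen_ops = set() if seen_ops is None else seen_ops
    errors = []
    for p1, p2, op, msg, cont in chor:
        if op in seen_ops:
            errors.append(f"op {op} is not distinct")
        seen_ops.add(op)
        is_box = isinstance(msg, tuple) and msg[0] == "box"
        if is_box and msg not in boxes and msg[2] != p1:
            errors.append(f"box in {op} first sent by {p1}, not {msg[2]}")
        for branch in cont:
            if branch[0] != p2:
                errors.append(f"after {op} the sender is {branch[0]}, not {p2}")
        known = boxes | {msg} if is_box else boxes
        errors += assumption_errors(cont, seen_ops, known)
    return errors
```

`abs_semantics(BUYER_SELLER)` yields the bundles in the order (i), (ii), (iii), and the last one has strands for C and S only.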



In the sequel, let $(\mathcal{B}, who)\backslash[\mu]$ be defined as follows: 

$$(\mathcal{B}, who)\backslash[\mu] = \begin{cases} \mathcal{B}' & \text{if } \mathcal{B} = (\mathcal{B}', who)[\mu] \\ \text{undefined} & \text{otherwise} \end{cases}$$ 

Intuitively, the operation above is inverse to $(\mathcal{B}, who)[\mu]$ i.e. removes the first communication from a 
bundle (if equal to $\mu$, undefined otherwise). We can then conclude this section with a result that relates 
the LTS semantics to the bundle semantics. 
[Figure 1: Bundles for the Buyer-Seller protocol. Three panels over roles C, S and B. Panel (i): req(prod), reply(quote), ok([card]CB), pay([card]CB), okcf([receipt]BC), rcpt([receipt]BC). Panel (ii): as in (i) up to the node marked *, then nopaycf(), nopay(). Panel (iii): req(prod), reply(quote), refuse(reason).] 



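Theorem 1. Let $C$ be a choreography. Then, 

1. if $C \xrightarrow{\mu} C'$ then there exists a bundle $\mathcal{B}$ in $[\![C]\!]$ such that $[\![C']\!] = [\![C]\!] \setminus (\{\mathcal{B}\} \cup L) \cup \{\mathcal{B}\backslash[\mu]\}$ for 
$L = \{\mathcal{B}' \mid \mathcal{B}' \in [\![C]\!] \wedge \mathcal{B}'\backslash[\mu] \text{ is undefined}\}$; 

2. if $\mathcal{B}\backslash[\mu]$ is defined and $\mathcal{B} \in [\![C]\!]$ then there exists $C'$ such that $C \xrightarrow{\mu} C'$. 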



4 An execution model for Cryptoprotocols 

Cryptographic protocols are modelled by strand spaces where the set of messages $A$ is more general. 
Formally, crypto-level messages, denoted by the syntactic category t have the following syntax: 

t::= v | Wh 

Above, the value $v$ ranges over the disjoint union of infinite sets of nonces (denoted by $N$), atomic keys 
(denoted by $K$) and other basic values. We will write a sequence of messages in the form $v_1\,\hat{\ }\,\ldots\,\hat{\ }\,v_k$. A 
node of a protocol $\Pi$ is regular if it lies on a strand of $\Pi$, not on an adversary strand. 

Definition 3 (Deliver-once). Suppose that $S$ is a set of messages, and $\mathcal{B}$ is a bundle. $\mathcal{B}$ delivers messages 
in $S$ only once if there exists an injective function $f : R \to T$, where 

• $R$ is the set of regular nodes $n$ in $\mathcal{B}$ such that a member of $S$ is received on $n$, and 

• $T$ is the set of regular nodes $n$ in $\mathcal{B}$ such that a member of $S$ is transmitted on $n$. 

When $\{S_i\}_{i \in I}$ is a family of sets indexed by $i \in I$, we say that $\mathcal{B}$ is deliver-once for $\{S_i\}_{i \in I}$ when $\mathcal{B}$ 
delivers messages in each $S_i$ only once. 

We typically apply this definition when / is a set of values that will be generated freshly, and S; is a 
set of messages of particular forms containing one such value i (Kj^ in the example below). 
[Diagram: strands for roles C, S and B exchanging the messages m1 to m6 listed below.] 



mi = j|csC~£ / W4p Llbk ( S ) 
m 3 = |sbC^AT4p ubk ( g ) 
m 5 = {|bck^Vr^4 pubk ( C) 



m 2 = {|cbC~S / WiB-p ubk ( B ) 
m 4 = {|bskA^ 2 ^i^fol pu bk(B) 
m 6 = §sckNi~N 2 ~K sc $ pubk (c) 



Figure 2: Key exchange phase 



Cryptoprotocol Example. The Buyer-Seller cryptoprotocol implements the choreography example of 
Section 3. It provides parametric strands that define the behaviors of the principals as they send and 
receive encrypted messages to provide security services for the behaviors in the choreography. The 
central idea is that the first few messages use public encryption keys and nonces to establish symmetric 
keys. The remaining messages then use the keys in a straightforward way. To establish a key between 
A and B, A sends a message containing a nonce, encrypted with B's public key. B returns a message 
encrypted with A's public key. It contains A's nonce as well as a fresh symmetric key to be used for 
this session. We use different syntactic tags in each encrypted unit which correspond to the op's in the 
choreography (denoted by the typewriter font op). At this level, the tags ensure that no unit can be 
confused with any other (this is the reason why the op's are all distinct at choreography level). The key 
exchange phase takes the form shown in Fig. 2. Each participant leaves the key exchange phase knowing 
that $N_1, N_2$ are shared among $C, S, B$, and that two symmetric keys are to be used for encryption in the 
next phase. For instance, C knows to use $K_{sc}$ to communicate with the seller in the ensuing exchange, 
and to use $K_{bc}$ to communicate with the bank. 

In the ensuing stage, the participants use these keys to transfer the payloads amongst themselves. 
Their exchange — in the successful case, in which the transaction completes — takes the form shown in 
Fig. 3. However, C and B each have an opportunity to prevent the exchange from completing, at the 
nodes marked *. If C transmits $\{|\mathtt{refuse}|\}_{K_{sc}}$ instead of p^, then S must terminate the exchange before 
contacting B. If B transmits -flnopaycf jjnopayH^ §K bs instead of ps\p6/y], then S and C must terminate 
the transaction. 

Let us assume that the participants of a run use their private decryption keys only in accordance with 
this protocol, and that the nonces $N_1, N_2$ and keys $K_{bc}, K_{bs}, K_{sc}$ are in fact freshly chosen and unguessable. 
On this assumption, there are essentially only three possible executions, if we consider only those of 
minimal size, given that a role completed. When C completes normally, then the other participants have 
completed normally with matching parameters. When S completes with a client refusal, then C has 
refused and B has had a matching key exchange phase but no more. When C completes with a nopay 
message, then B has refused to pay, and S has been informed of this. This analysis indicates that the 
protocol appears to achieve its goals. Indeed, we have confirmed this with the tool CPSA, a Cryptographic 
Protocol Shapes Analyzer Q, which enumerates the minimal, essentially different executions of the 
protocol. We can then check the assertions we have just made by inspecting those executions. 
pi = IreqA^C^TB^prod^ p 2 = ^reply quote^. 

P5 = flokcf y$ Kis p 6 = ^rcpt receipt}^ 

Figure 3: Payload exchange phase 



5 Abstraction and Correctness 



A partial function $a$ over messages is an abstraction map if (1) $a(t)$ (if defined) contains no cryptographic 
operators, nonces nor keys, and (2) the parameters in $a(t)$ (if defined) always appear in $t$. 

For instance, $a$ could map $\{|\mathtt{req}\,\hat{\ }\,N_2\,\hat{\ }\,C\,\hat{\ }\,S\,\hat{\ }\,B\,\hat{\ }\,prod|\}_{K_{sc}}$ to req(prod) in our Buyer-Seller example. The 
result has no cryptography and no nonces, and the tags req and prod appear in the argument. 

We say that an abstract strand $s$ is an image of a cryptographic strand $s_c$ if, ignoring transmissions or 
receptions on $s_c$ for which $a$ is undefined, for each transmission or reception node $n$ on $s$, its message 
$msg(n)$ is $a(msg(n_c))$, where $n_c$ is the corresponding transmission or reception node (resp.) on $s_c$. That 
is, $a$ yields the trace of $s$ when mapped through the trace of $s_c$ restricted to the domain of $a$. 

Suppose that a concrete strand $s_c$ has its first $i$ nodes in a concrete bundle $\mathcal{C}$, but $a$ is undefined for 
the messages on these nodes. We then say that $s_c$ is abstractly vacuous in $\mathcal{C}$. In the opposite case, when 
some node $n$ of $s_c$ is in $\mathcal{C}$ and $a(msg(n))$ is well-defined, we say that $s_c$ is abstractly non-vacuous in $\mathcal{C}$. 

An abstract bundle $\mathcal{B}$ is an image of a cryptographic bundle $\mathcal{C}$ if (1) there is a bijection $\phi$ between 
the abstractly non-vacuous regular strands $s_c$ of $\mathcal{C}$ and the regular strands $s$ of $\mathcal{B}$; (2) $\phi(s_c)$ is always an 
image of $s_c$; and (3) the transmission relation $\to_{\mathcal{B}}$ is formed by connecting nodes of $\mathcal{B}$ such that $m \to_{\mathcal{B}} n$ 
implies $m_c \to n_c$, for some concrete nodes of which $m, n$ are images. See for a related notion of 
protocol transformation, and HI for an approach to protocol verification via abstraction functions. 

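Suppose that $\mathcal{C}$ is a concrete bundle and $\{\mathcal{C}_i\}_i$ is a family of sub-graphs of $\mathcal{C}$ that partitions the 
regular nodes of $\mathcal{C}$. We say that $\{\mathcal{C}_i\}_i$ separates $\mathcal{C}$ into components when each $\mathcal{C}_i$ is a bundle on its own. 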

Definition 4 (Faithfulness). Cryptoprotocol $\Pi$ is faithful to choreography $C$ if there is an abstraction 
function $a$ such that: 

1. Every $\mathcal{B} \in [\![C]\!]$ is an image of some bundle $\mathcal{C}$ of $\Pi$; 

2. If $\mathcal{C}$ is a bundle of $\Pi$, then some family $\{\mathcal{C}_i\}_i$ separates $\mathcal{C}$ into components. Moreover, each image 
$\mathcal{B}_i$ of any $\mathcal{C}_i$ is an initial sub-bundle of $\sigma(\mathcal{B})$, for some $\mathcal{B} \in [\![C]\!]$ and some substitution $\sigma$. 

If $\{S_i\}_{i \in I}$ is a family of sets of messages, then $\Pi$ is faithful to $C$ assuming the deliver-once property for 
$\{S_i\}_{i \in I}$ if the above holds for bundles of $\Pi$ that are deliver-once for $\{S_i\}_{i \in I}$. 

Faithfulness in the Buyer-Seller protocol. We use the protocol analysis tool CPSA Q as part of a proof 
that the protocol of Fig. 2 and Fig. 3 is faithful to the choreography in Fig.Q] There are three stages: 

1. CPSA determines the minimal, essentially different executions that are possible, given that any one 
party has had a complete run. 

These are the expected success execution $A_s$ and failure executions $A_f$, $A_{f'}$, modulo the fact that 
a party never knows whether its last message was successfully delivered, if its last action is a 
transmission. In particular, the active parties agree on all parameters to the session. 

2. Based on this CPSA output, inspection shows that Def. 4, Clause 1 is satisfied: Any run $\mathcal{B} \in [\![C]\!]$ 
is the abstraction of some concrete bundle $\mathcal{C}$. 

3. Because $A_s$, $A_f$, $A_{f'}$ are the only minimal forms of execution, every larger execution $\mathcal{B}_c$ is a (possibly 
non-disjoint) union of executions of these forms. That is, there is a family of maps $\{H_i\}_i$, 
where each $H_i$ maps either $A_s$ or $A_f$ to some subset of the regular nodes of $\mathcal{B}_c$. Moreover, each 
regular node $n \in \mathcal{B}_c$ is the image of some node in $A_s$, $A_f$, or $A_{f'}$ under at least one of the $H_j$. 

However, each pair of strands agrees on a pair of freshly chosen values, where each of them has 
chosen one of the values. This forces the range of $H_i$ and $H_j$ either to coincide or be disjoint. 
Hence Clause 2 is satisfied when we define the family $\{\mathcal{C}_i\}_i$ by saying that two nodes belong to 
the same $\mathcal{C}_i$ if they are both in the range of any one $H_j$. 

6 Concluding Remarks 

We have introduced two execution models, one for choreography (assuming no compromised participants) 
and one for cryptoprotocols with deliver-once assumptions. The abstract bundle semantics gives 
a set of bundles representing all the possible runs of the protocol described by a choreography. We have 
sketched a form of argument for proving that a cryptoprotocol is faithful to the ABS of a choreography. 

In H, we studied an abstract semantics for the choreography language presented here where roles can 
belong to compromised principals. The ideas of abstraction have yet to be extended to the compromised 
case and to a choreography language with infinite states. The work by Bhargavan et al. in [3] HI is 
closely related to ours: they provide a compiler for generating ML code that can then be type-checked 
for verifying its security property. Their notion of faithfulness is guaranteed for the well-typed code 
generated from the source choreography. 

In future work, we aim at developing systematic techniques for proving that certain transformations 
preserve all of the goals of a protocol, while achieving additional goals [9]. 